PSEUDOPRIME REDUCTIONS OF ELLIPTIC CURVES 

C. DAVID & J. WU 

Abstract. Let $E$ be an elliptic curve over $\mathbb{Q}$ without complex multiplication,
and for each prime $p$ of good reduction, let $n_E(p) = |E(\mathbb{F}_p)|$. Let $Q_{E,b}(x)$ be the
number of primes $p \le x$ such that $b^{n_E(p)} \equiv b \pmod{n_E(p)}$, and $\pi_{E,b}^{\mathrm{pseu}}(x)$ be the
number of composite $n_E(p)$ such that $b^{n_E(p)} \equiv b \pmod{n_E(p)}$ (also called elliptic
curve pseudoprimes). Motivated by cryptography applications, we address in this
paper the problem of finding upper bounds for $Q_{E,b}(x)$ and $\pi_{E,b}^{\mathrm{pseu}}(x)$, generalising
some of the literature for the classical pseudoprimes [6, 17] to this new setting.
1. Introduction

The study of the structure and size of the group of points of elliptic curves over
finite fields has received much attention since Koblitz and Miller independently
proposed in 1985 elliptic curve cryptography, an approach to public-key cryptography
based on the algebraic structure of elliptic curves over finite fields. Those
cryptosystems guarantee, in general, a high level of security with less cost in the
size of the keys, whenever the order of the group has a big prime divisor.

Let $E$ be an elliptic curve defined over $\mathbb{Q}$ with conductor $N_E$ and without complex
multiplication (CM), and denote by $E(\mathbb{F}_p)$ the reduction of $E$ modulo $p$. Writing
$n_E(p) := |E(\mathbb{F}_p)|$, it is an interesting problem to study the asymptotic behavior of

(1.1) $\pi_E^{\mathrm{twin}}(x) := |\{p \le x : n_E(p) \text{ is prime}\}|.$

Here and in the sequel, the letters $p$, $q$ and $\ell$ denote prime numbers. Koblitz [11]
conjectured that as $x \to \infty$,

(1.2) $\pi_E^{\mathrm{twin}}(x) \sim \dfrac{C_E^{\mathrm{twin}}\, x}{(\log x)^2}$

with an explicit constant $C_E^{\mathrm{twin}}$ depending only on $E$ (see [5, (2.5)] for its precise
definition). It is easy to see that if $C_E^{\mathrm{twin}} = 0$, then $\pi_E^{\mathrm{twin}}(x) \ll_E 1$ for all $x \ge 1$.
The asymptotic formula (1.2) can be regarded as the analogue of the twin prime
conjecture for elliptic curves. As in the classical case, Koblitz's conjecture is still
open, but was shown to be true on average over all elliptic curves [1]. One can also
apply sieve methods to get unconditional or conditional upper bounds for $\pi_E^{\mathrm{twin}}(x)$.
The best unconditional upper bound is due to Zywina [22, Theorem 1.3], and the
best bound under the Generalised Riemann Hypothesis (GRH) is due to David &
Wu [5, Theorem 2]. For $E$ an elliptic curve over $\mathbb{Q}$ without CM, and for any $\varepsilon > 0$,
those bounds are

(1.3) $\pi_E^{\mathrm{twin}}(x) \le \begin{cases} (24 C_E^{\mathrm{twin}} + \varepsilon)\dfrac{x}{(\log x)\log_2 x} & \text{(unconditionally)}, \\[2mm] (10 C_E^{\mathrm{twin}} + \varepsilon)\dfrac{x}{(\log x)^2} & \text{(under the GRH)}, \end{cases}$

where $\log_k$ denotes the $k$-fold logarithm function.

Let $b \ge 2$ be an integer. We say that a composite positive integer $n$ is a
pseudoprime to base $b$ if the congruence

(1.4) $b^n \equiv b \pmod{n}$

holds. In practice, primality testing algorithms are not fast when one wants to test
many numbers in a short amount of time, and pseudoprime testing can provide a
quick pre-selection procedure to get rid of most of the pretenders. The distribution
of pseudoprimes was studied by many authors, including [6, 17]. Motivated by
applications in cryptography, the question of the distribution of pseudoprimes in
certain sequences of positive integers has received some interest (see [3, 7, 14, 15, 18]).
In particular Cojocaru, Luca & Shparlinski [3] have investigated the distribution of
pseudoprimes in $\{n_E(p)\}_{p \text{ primes}}$. Define

$Q_{E,b}(x) := |\{p \le x : b^{n_E(p)} \equiv b \pmod{n_E(p)}\}|.$

According to Fermat's little theorem, if $n_E(p)$ is a prime such that $n_E(p) \nmid b$, then
(1.4) holds with $n = n_E(p)$. Thus

(1.5) $\pi_E^{\mathrm{twin}}(x) \le Q_{E,b}(x)$

for all $x \ge 2$. Cojocaru, Luca & Shparlinski [3, Theorems 1 and 2] proved that for
any fixed base $b \ge 2$ and elliptic curve $E$ without CM, the estimates

(1.6) $Q_{E,b}(x) \ll_{E,b} \begin{cases} \dfrac{x(\log_3 x)^2}{(\log x)\log_2 x} & \text{(unconditionally)}, \\[2mm] \dfrac{x(\log_2 x)^2}{(\log x)^2} & \text{(under the GRH)} \end{cases}$

hold for all $x \ge 10$, where the implied constant depends on $E$ and $b$.
The first aim of this paper is to improve (1.6).*



*We noticed that there are two inaccuracies in Cojocaru, Luca & Shparlinski's proof of (1.6):
With the notation of [3], we have $t_b(\ell) \mid (n_E(p) - 1)$ instead of $t_b(\ell) \mid n_E(p)$ (see [3, page 519]).
Thus the inequality (see [3, page 520])

#r< ^ n{x;£p{h{m 

does not hold. Secondly the statements of Lemmas 3, 4, 6 and 7 of [3] are not true when $(m, M_E) \ne 1$
(see Section 2 for the definition of $M_E$). Then, the proofs of Lemma 9 and 10 hold only for
$(m, M_E) = 1$. This is not sufficient for the proof bounding $\#\mathcal{T}$ since $t_b(\ell)$ is not necessarily
coprime with $M_E$.
Theorem 1.1. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM and $b \ge 2$ be an
integer. For any $\varepsilon > 0$, we have

(1.7) $Q_{E,b}(x) \le \begin{cases} (48 e^{\gamma} + \varepsilon)\dfrac{x \log_3 x}{(\log x)\log_2 x} & \text{(unconditionally)}, \\[2mm] (28 e^{\gamma} + \varepsilon)\dfrac{x \log_2 x}{(\log x)^2} & \text{(under the GRH)} \end{cases}$

for all $x \ge x_0(E, b, \varepsilon)$, where $\gamma$ is the Euler constant.

Denoting by $\pi(x)$ the number of primes not exceeding $x$, and by $\pi_b^{\mathrm{pseu}}(x)$ the
number of pseudoprimes to base $b$ not exceeding $x$, then it is known that (see
[6, 17])

(1.8) $\pi_b^{\mathrm{pseu}}(x) = o(\pi(x))$

as $x \to \infty$. Precisely Pomerance [17, Theorem 2] proved that†

(1.9) $\pi_b^{\mathrm{pseu}}(x) \le \dfrac{x}{\sqrt{L(x)}}$

for $x \ge x_0(b)$, where

(1.10) $L(x) := e^{(\log x)(\log_3 x)/\log_2 x}.$

As analogue of $\pi_b^{\mathrm{pseu}}(x)$ for elliptic curves, we introduce

$\pi_{E,b}^{\mathrm{pseu}}(x) := |\{p \le x : n_E(p) \text{ is pseudoprime to base } b\}|.$

Clearly

$Q_{E,b}(x) = \pi_E^{\mathrm{twin}}(x) + \pi_{E,b}^{\mathrm{pseu}}(x).$

In view of (1.8), it seems reasonable to conjecture

(1.11) $\pi_{E,b}^{\mathrm{pseu}}(x) = o(\pi_E^{\mathrm{twin}}(x))$

as $x \to \infty$.
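The three counting functions just introduced can be computed directly for small $x$. The following is an added example, not code from the paper: the curve $y^2 = x^3 + x + 1$, the bases and the bound are assumed sample choices, and the point count is a naive $O(p)$ enumeration. It classifies each $n_E(p)$ as prime, composite pseudoprime, or the degenerate value 1 (which satisfies (1.4) trivially and is neither prime nor composite).

```python
# Added illustration: counts Q_{E,b}(x), pi_E^twin(x) and pi_{E,b}^pseu(x).
# ASSUMPTION: the curve y^2 = x^3 + x + 1 is a sample choice, not from the
# paper. Its j-invariant 6912/31 is not an integer, so it has no CM.
from math import isqrt

A, B = 1, 1
DISC = -16 * (4 * A**3 + 27 * B**2)      # -496 = -2^4 * 31: bad primes 2, 31


def primes_up_to(n):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[:2] = b"\x00\x00"
    for i in range(2, isqrt(n) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i in range(n + 1) if sieve[i]]


def is_prime(n):
    """Deterministic trial division; n_E(p) stays small in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def n_E(p):
    """n_E(p) = |E(F_p)| for a prime p of good reduction (naive count)."""
    roots = [0] * p                       # roots[v] = #{y mod p : y^2 = v}
    for y in range(p):
        roots[y * y % p] += 1
    affine = sum(roots[(x * x * x + A * x + B) % p] for x in range(p))
    return affine + 1                     # add the point at infinity


def satisfies_congruence(b, n):
    """Congruence (1.4): b^n = b (mod n)."""
    return pow(b, n, n) == b % n


def reduction_counts(x, b):
    """Counts over primes p <= x of good reduction.

    Q    : p with b^{n_E(p)} = b (mod n_E(p))
    twin : n_E(p) prime (the congruence then holds by Fermat)
    pseu : n_E(p) composite and satisfying the congruence
    unit : n_E(p) = 1, where the congruence is vacuous
    Also returns the pairs (p, n_E(p)) that are elliptic curve pseudoprimes.
    """
    counts = {"Q": 0, "twin": 0, "pseu": 0, "unit": 0}
    witnesses = []
    for p in primes_up_to(x):
        if DISC % p == 0:                 # skip primes of bad reduction
            continue
        n = n_E(p)
        assert (p + 1 - n) ** 2 <= 4 * p  # Hasse bound |p + 1 - n| <= 2 sqrt(p)
        if not satisfies_congruence(b, n):
            continue
        counts["Q"] += 1
        if n == 1:
            counts["unit"] += 1
        elif is_prime(n):
            counts["twin"] += 1
        else:
            counts["pseu"] += 1
            witnesses.append((p, n))
    return counts, witnesses


if __name__ == "__main__":
    for base in (2, 3):
        counts, witnesses = reduction_counts(3000, base)
        print(f"b={base}: {counts}; pseudoprime reductions: {witnesses[:5]}")
```

Pre-filtering candidate group orders with the congruence (1.4) alone accepts exactly the primes counted by `twin` plus the composites counted by `pseu`, which is why a bound on the latter matters when selecting curves.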

In order to establish an analogue of (1.9) for $\pi_{E,b}^{\mathrm{pseu}}(x)$, we need a supplementary
hypothesis.

Hypothesis 1.2. Let $E$ be an elliptic curve over $\mathbb{Q}$. There is a positive constant $\delta$
such that

(1.12) $M_E(n) := \sum_{p \le x,\ n_E(p) = n} 1 \ll_E n^{\delta}$

holds uniformly for $n \ge 1$ and $x \ge 1$, where the implied constant can depend on the
elliptic curve $E$.

By the Hasse bound $|p + 1 - n_E(p)| \le 2\sqrt{p}$, it is easy to see that

(1.13) $n_E(p)/16 \le p \le 16\, n_E(p)$

for all $p$. Thus the relation $n_E(p) = n$ and the Hasse bound imply that $|p - n| \le 9\sqrt{n}$.
Therefore (1.12) holds trivially with $\delta = \frac{1}{2}$ and an absolute implicit constant. It is
conjectured that (1.12) should hold for any $\delta > 0$ (see [12, Question 4.11]). Kowalski
proved that this conjecture is true for elliptic curves with CM [12, Proposition 5.3]
and on average for elliptic curves without CM [12, Lemma 4.10].

†In [17], the definition of pseudoprime to base $b$ is slightly stronger: $b^{n-1} \equiv 1 \pmod{n}$ in place
of $b^n \equiv b \pmod{n}$. It is easy to adapt Pomerance's proof of [17, Theorem 2] to obtain (1.9), as we
do in this paper for the context of elliptic curve pseudoprimes. See Section 5 for more details.

The next theorem shows that we can obtain a better conditional upper bound for
$\pi_{E,b}^{\mathrm{pseu}}(x)$ than $\pi_E^{\mathrm{twin}}(x)$, which can be regarded as an analogue of (1.9) for elliptic curves
without CM.

Theorem 1.3. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM and $b \ge 2$ be an
integer. If we assume the GRH and Hypothesis 1.2 with $\delta < \frac{1}{24}$, we have

(1.14) <7(a:) ^ "^ 



L{xy/^o 

for all $x \ge x_0(E, b, \delta)$.

In view of Koblitz's conjecture (1.2), the result of Theorem 1.3 then encourages 
our belief in Conjecture (1.11). 

By combining (1.14) and the second part of (1.3), we immediately get the following
result.

Corollary 1.4. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM and $b \ge 2$ be an
integer. If we assume the GRH and Hypothesis 1.2 with $\delta < \frac{1}{24}$, for any $\varepsilon > 0$ we
have

(1.15) $Q_{E,b}(x) \le (10 C_E^{\mathrm{twin}} + \varepsilon)\dfrac{x}{(\log x)^2}$

for all $x \ge x_0(E, b, \delta, \varepsilon)$.

We can also consider the same problem for elliptic curves with CM. In this case,
we easily obtain an unconditional result by using the bound (1.9) of Pomerance for
pseudoprimes and a result of Kowalski [12] about the second moment of $M_E(n)$ for
elliptic curves with CM.

Theorem 1.5. Let $E$ be an elliptic curve over $\mathbb{Q}$ with CM and $b \ge 2$ be an integer.
Then we have

X 



(1-16) <T(^) ^ J^^, 

for all $x \ge x_0(E, b)$.

It seems to be interesting to prove that

(1.17) $\pi_{E,b}^{\mathrm{pseu}}(x) \to \infty$, as $x \to \infty$.

We hope to come back to this question in the future. 

Acknowledgments. The first author was supported by the Natural Sciences and
Engineering Research Council of Canada (Discovery Grant 155635-2008) and by a
grant to the Institute for Advanced Study from the Minerva Research Foundation
during the academic year 2009-2010. The second author wishes to thank the Centre
de Recherches Mathématiques (CRM) in Montreal for hospitality and support during
the preparation of this article.






2. Chebotarev density theorem

In order to prove Theorems 1.1 and 1.3, we need to know some information on the
distribution of the sequence $\{n_E(p)\}_{p \text{ primes}}$ in arithmetic progressions. The aim of
this section is to give such results with the help of the Chebotarev density theorem.
Our main result of this section is Theorem 2.3 below.

We conserve all notation of [5, Sections 2 and 3]. In particular, for an elliptic
curve $E$ without complex multiplication defined over the rationals, let $E[n]$ be the
group of $n$-torsion points of $E$, and let $L_n$ be the field extension obtained from
$\mathbb{Q}$ by adding the coordinates of the $n$-torsion points of $E$. This is a Galois extension
of $\mathbb{Q}$, and we denote $G(n) := \mathrm{Gal}(L_n/\mathbb{Q})$. Since $E[n](\overline{\mathbb{Q}}) \simeq \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$, choosing
a basis for the $n$-torsion and looking at the action of the Galois automorphisms on
the $n$-torsion, we get an injective homomorphism

$\rho_n : G(n) \hookrightarrow \mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z}).$

If $p \nmid nN_E$, then $p$ is unramified in $L_n/\mathbb{Q}$. Let $p$ be an unramified prime, and let
$\sigma_p$ be the Artin symbol of $L_n/\mathbb{Q}$ at the prime $p$. For such a prime $p$, $\rho_n(\sigma_p)$ is
a conjugacy class of matrices of $\mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$. Since the Frobenius endomorphism
$(x, y) \mapsto (x^p, y^p)$ of $E$ over $\mathbb{F}_p$ satisfies the polynomial $x^2 - a_E(p)x + p$, it is not
difficult to see that

$\mathrm{tr}(\rho_n(\sigma_p)) \equiv a_E(p) \pmod{n}$

and

$\det(\rho_n(\sigma_p)) \equiv p \pmod{n}.$

To study the sequence $\{n_E(p)\}_{p \text{ primes}}$, we will use the Chebotarev Density Theorem
to count the number of primes $p$ such that

$n_E(p) = p + 1 - a_E(p) \equiv \det(\rho_n(\sigma_p)) + 1 - \mathrm{tr}(\rho_n(\sigma_p)) \equiv r \pmod{n}$

for integers $r$, $n$ with $n \ge 2$. We then define

$C_r(n) = \{g \in G(n) : \det(g) + 1 - \mathrm{tr}(g) \equiv r \pmod{n}\}.$

Then, the $C_r(n)$ are unions of conjugacy classes in $G(n)$. We also denote $C(n) := C_0(n)$.
For any prime $\ell$ such that $(\ell, M_E) = 1$, $G(\ell) = \mathrm{GL}_2(\mathbb{Z}/\ell\mathbb{Z})$, and it is easy to
compute that



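(2.1) $|C_r(\ell)| = \begin{cases} \ell(\ell^2 - 2) & \text{for } r \equiv 0 \pmod{\ell}, \\ \ell(\ell^2 - \ell - 1) & \text{for } r \equiv 1 \pmod{\ell}, \\ \ell(\ell^2 - \ell - 2) & \text{for } r \not\equiv 0, 1 \pmod{\ell}, \end{cases}$

and then

(2.2) $\dfrac{|C_r(\ell)|}{|G(\ell)|} = \begin{cases} \dfrac{\ell^2 - 2}{(\ell - 1)^2(\ell + 1)} & \text{for } r \equiv 0 \pmod{\ell}, \\[2mm] \dfrac{\ell^2 - \ell - 1}{(\ell - 1)^2(\ell + 1)} & \text{for } r \equiv 1 \pmod{\ell}, \\[2mm] \dfrac{\ell^2 - \ell - 2}{(\ell - 1)^2(\ell + 1)} & \text{for } r \not\equiv 0, 1 \pmod{\ell}. \end{cases}$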
It was shown by Serre [19] that the Galois groups $G(n) \subseteq \mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$ are large,
and that there exists a positive integer $M_E$ depending only on the elliptic curve $E$
such that

(2.3) If $(n, M_E) = 1$, then $G(n) = \mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$;

(2.4) If $(n, M_E) = (n, m) = 1$, then $G(mn) \simeq G(m) \times G(n)$;

(2.5) If $M_E \mid m$, then $G(m) \subseteq \mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$ is the full inverse image of
$G(M_E) \subseteq \mathrm{GL}_2(\mathbb{Z}/M_E\mathbb{Z})$ under the projection map.

Let

$\pi_{C_r(n)}(x, L_n/\mathbb{Q}) := |\{p \le x : p \nmid nN_E \text{ and } \rho_n(\sigma_p) \in C_r(n)\}|.$

The following proposition (with a better error term) was proved in [5, Theorem 3.9]
for the conjugacy class $C(n) = C_0(n) \subseteq G(n)$ when $n$ is squarefree, and can be
easily generalised to general $n$ and $r$.

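Proposition 2.1. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM. Let $r \ge 0$ be an
integer, and let $n = dm$ be any positive integer with $(d, M_E) = 1$ and $m \mid M_E^{\infty}$.*
(i) Then,

$\pi_{C_r(n)}(x, L_n/\mathbb{Q}) = \dfrac{|C_r(m)|}{|G(m)|}\Big(\prod_{\ell^k \| d} \dfrac{|C_r(\ell^k)|}{|\mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})|}\Big)\mathrm{Li}(x) + O_E\big(x \exp\{-A n^{-2}\sqrt{\log x}\}\big)$

uniformly for $\log x \gg n^{12}\log n$, where the implied constants depend only on the
elliptic curve $E$ and $A$ is a positive absolute constant.

(ii) Assuming the GRH for the Dedekind zeta functions of the number fields $L_n/\mathbb{Q}$,
we have

$\pi_{C_r(n)}(x, L_n/\mathbb{Q}) = \dfrac{|C_r(m)|}{|G(m)|}\Big(\prod_{\ell^k \| d} \dfrac{|C_r(\ell^k)|}{|\mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})|}\Big)\mathrm{Li}(x) + O_E\big(n^3 x^{1/2}\log(nx)\big).$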

Proof. To prove (i) and (ii), one applies the effective Chebotarev Density Theorem
due to Lagarias and Odlyzko [13] and slightly improved by Serre in [20], as stated in
[5, Theorem 3.1] with the appropriate bounds for the discriminants of number fields
[20, Proposition 6], and the bound of Stark [21] for the exceptional zero of Dedekind
L-functions for (i). We refer the reader to [5] for more details. □

Remark 1. There are many cases where we can improve the error term in Proposition
2.1 (ii) by applying a strategy first used in [20] and [16] to reduce to the case of an
extension where Artin's conjecture holds. The error term then becomes

$O_E\big(n^{3/2} x^{1/2}\log(nx)\big).$

This can be done if $r = 0$ (as in [5, Theorem 3.9]), or if $(n, M_E) = 1$ for any $r$. To
apply the strategy of [20] and [16] and obtain this improved error term, one needs
to ensure that $C_r(n) \cap B(n) \ne \emptyset$, where $B(n)$ is the Borel subgroup of $\mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$.
For example, this is the case if $E$ is a Serre curve, and most elliptic curves are Serre
curves as it was shown by Jones [10].

*The notation $d \mid n^{\infty}$ means that $p \mid d \Rightarrow p \mid n$ and the notation $p^k \| n$ means that $p^k \mid n$ and

We now need upper and lower bounds on the size of the main term of Proposition
2.1, which are computed in the next lemma.

Lemma 2.2. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM. For all primes $\ell \nmid M_E$
and integers $k \ge 1$, we have the bounds

(2M) 1 ,^^ \cAe)\ ^ 1 



if{i^) £-1 |GL2(Z/£'=Z)| v'(£'^) 

when $r \not\equiv 0 \pmod{\ell}$, and the bounds

1 £-2 \CJt)\ 1 / 

(2.7) —-— <- ' ;^ /,' ,, < —r-rri 1 + 



^{P") l-\ |GL2(Z/£'=Z)| " ^{p") \ (£3 - 1)(£2 _ 1) 

when $r \equiv 0 \pmod{\ell}$.

Furthermore, for $m \mid M_E^{\infty}$ such that $|C_r(m)| \ne 0$, we have that

, , 1 \Cr{m)\ 1 

(2-8) ^— <^E ' ; ,1 <s 



(/9(m) 1^(772)1 (^(m) 

with constants depending only on the elliptic curve $E$. In particular, the upper bound
in (2.8) holds without the hypothesis $|C_r(m)| \ne 0$.

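Proof. Fix $\ell \nmid M_E$ and $k \ge 1$. To count the number of elements in $C_r(\ell^k)$, we count
the matrices $\tilde{g} \in \mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})$ which are the inverse images of a matrix $g \in C_r(\ell)$
under the projection map from $\mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})$ to $\mathrm{GL}_2(\mathbb{Z}/\ell\mathbb{Z})$, and which satisfy

$\det(\tilde{g}) + 1 - \mathrm{tr}(\tilde{g}) \equiv r \pmod{\ell^k}.$

Let

$g = \begin{pmatrix} a & b \\ c & d \end{pmatrix}, \qquad \tilde{g} = \begin{pmatrix} \tilde{a} & \tilde{b} \\ \tilde{c} & \tilde{d} \end{pmatrix}.$

If $b \not\equiv 0 \pmod{\ell}$, then $\tilde{b}$ is invertible, and we have to count the number of $\tilde{a}, \tilde{b}, \tilde{c}, \tilde{d}$
lifting $a, b, c, d$ such that

$\tilde{c} \equiv \dfrac{\tilde{a}\tilde{d} - (\tilde{a} + \tilde{d}) - r + 1}{\tilde{b}} \pmod{\ell^k},$

and there are $\ell^{3(k-1)}$ such lifts. Similarly if $c \not\equiv 0 \pmod{\ell}$.

If $a \not\equiv 1 \pmod{\ell}$, then $\tilde{a} - 1$ is invertible, and we have to count the number of
$\tilde{a}, \tilde{b}, \tilde{c}, \tilde{d}$ lifting $a, b, c, d$ such that

$\tilde{d} \equiv \dfrac{r + \tilde{b}\tilde{c} - 1 + \tilde{a}}{\tilde{a} - 1} \pmod{\ell^k},$

and there are $\ell^{3(k-1)}$ such lifts. Similarly if $d \not\equiv 1 \pmod{\ell}$. This proves (2.6) as the
identity matrix does not belong to $C_r(\ell)$ when $r \not\equiv 0 \pmod{\ell}$. Then, the number
of lifts of any matrix from $C_r(\ell)$ to $C_r(\ell^k)$ is $\ell^{3(k-1)}$, and the number of lifts from
$\mathrm{GL}_2(\mathbb{Z}/\ell\mathbb{Z})$ to $\mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})$ is $\ell^{4(k-1)}$, which gives

$\dfrac{|C_r(\ell^k)|}{|\mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})|} = \dfrac{|C_r(\ell)|}{\ell^{k-1}\,|\mathrm{GL}_2(\mathbb{Z}/\ell\mathbb{Z})|}$

and the result follows by using (2.2).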
Finally, we have to count the number of lifts

'I + M hi 
hi 1 + hi 

of the identity matrix such that (?{hkA — hh) = "^ (mod£^), where ^ /cj < (!.^~^. 
We assume that k ^ 2. If r ^ (mod£^), there are no lifts, and there are i^ lifts if 
r = (mod£^). Let v = ininiVe{h), where f^(n) is the £-adic evaluation of n, and 
write h = i^K with ^ A;^ < i''~^~'". If r ^ (mod£^+^), there is no solution with 
h,h,h,h such that v = miniiVi^h)- Suppose that r = (mod^^"*"^). Then we 
need to solve 

£2+"(A;;A;; - k^kt^) = e+^r' {modt) ^^ {k[k'^ - k'^k'^) = r' (mod^'^-^"^). 

Without loss of generality, V£{k[) = 0, and 

r' -I- h' h' 
k'.^'—pl^imodi'"''-^), 

and there are ££3(fc-i-'u) golutions k[, k'2, k'^, k'^. The number of lifts of the identity 
matrix is then bounded by 

(2.9) £^£3(fc-l-.) ^ ^^3(/c-l) ^^-3. ^ £^3(fc-l)_^. 

We now prove (2.7). Using (2.9) and the first formula of (2.1), it follows that 

t-'\a,{t)\ ^ \Crm ^ ti{e - 1) 



|GL2(Z/£'^Z)| GL2(Z/£Z) GL2(Z/£Z) 

~ (£-l)(£2-l)(£3_l)' 

For the lower bound, we have 

e-^\Cr[t)\ \Cr[ii)\-\ _ i{e-i)-\ e-2 

|GL2(Z/£'=Z)| ^ GL2(Z/£Z) ~ £(£-l)(£2-i) ^ (£-1)2' 
We now prove (2.8). Let $m' = \prod_{p \mid m} p^{\min(v_p(m),\, v_p(M_E))}$, where $v_p(m)$ is the
$p$-adic valuation of $m$. By (2.5), $G(m)$ is the full inverse image of $G(m')$ under
the projection map from $\mathrm{GL}_2(\mathbb{Z}/m\mathbb{Z})$ to $\mathrm{GL}_2(\mathbb{Z}/m'\mathbb{Z})$. Fix $g \in C_r(m')$, and we now
count the number of lifts $\tilde{g}$ in $C_r(m)$. By the Chinese Remainder Theorem, it suffices
to count the number of lifts from $C_r(p^{v_p(m')})$ to $C_r(p^{v_p(m)})$ for each $p \mid m$. In general,
fix $1 \le e \le k$, fix $g \in \mathrm{GL}_2(\mathbb{Z}/p^e\mathbb{Z})$ such that $\det(g) + 1 - \mathrm{tr}(g) \equiv r \pmod{p^e}$, and we
count the number of lifts $\tilde{g} \in \mathrm{GL}_2(\mathbb{Z}/p^k\mathbb{Z})$ such that $\det(\tilde{g}) + 1 - \mathrm{tr}(\tilde{g}) \equiv r \pmod{p^k}$.
If $g$ is not congruent to the identity matrix modulo $p$, then the same argument as
above shows that there are

(2.10) $p^{3(k-e)}$

lifts of $g$. If $g$ is congruent to the identity matrix modulo $p$, we have to count the
number of matrices

$\tilde{g} = \begin{pmatrix} 1 + k_1 p^e & k_2 p^e \\ k_3 p^e & 1 + k_4 p^e \end{pmatrix}$

such that $p^{2e}(k_1 k_4 - k_2 k_3) \equiv r \pmod{p^k}$, where $0 \le k_i < p^{k-e}$. If

r ^ (mod mill (p jP^*^)), 

there are no hfts, and we suppose that r = (mod min [jj^ ^ P^^))- Let v = miuj Vp{ki), 
and write ki = ^"k'^ where ^ f < A; — e and ^ A;^ < p^~'^~'". The congruence 
above rewrites as 

(2.11) p^'+^ik'^k'^ - k'^k'^) = r (mod/). 

If 2e + f ^ A;, (2.11) has ^^(fc-e-i)) solutions when r = (modp*^) and no solutions 
otherwise. If 2e + f < A;, assume that r = (mod {p^'^^'")) (otherwise (2.11) has no 
solutions). Writing r = r'p'^^^'", (2.11) rewrites as A;'^A;4 — A;2A;3 = r' (modp'^"^'^"'") 
and this leads to ^^^^{fc-e-i;) solutions k[, k'21 k'^, k'^. Then, the number of lifts of the 
identity matrix from Crip'^) to Cr{p^) is bounded by 

^k-e-v) ^ p3ik^e)pe_^ ^ p"' ^- 

(2.12) — — p3_l p4_l 

2e+v<k 2e+v^k 

^ p3{fc-e)p4e+l_ 

Then, applying (2.12), we have that 

\Cr{m)\ \Cr{m')\ p3K(m)-«p(m'))p4^p(™')+l 



k-e-1 






k-e-1 


>: 


V^T) ^ 


-) + 


>>■ 


D = 






v=0 


2e+v<k 






2e+v^k 



\G(m)\ \G(m')\ J-i p4{v,{m)-v,{m')) 

p\m 



\Cr{m')\ 



\G(m')\ (p(m, , 

p\m 



m 1 J- J- 



\Cr{m')\ 



\G{m')\ ip{m) 

Finally we suppose that |Cr(Tn)| 7^ and prove the lower bound in (2.8). Denoting 
by Gr{Tn')^ the subset of Gr{Tn') consisting of matrices not equivalent to the identity 
matrix modulo p {Gr{m!)^ is not empty since |Cr(T?2)| 7^ 0), and applying (2.10), we 
have that 

\Gr{m)\ \Cr{m%\ ^ j93K(m)-^p{m')) 



\G{m)\ \G{m')\ ii p^KM-^pC™')) 

p\rn 

^ 1-r 1 -,-r (p-l)p-^("^')|a(mO^ 

1 



ip{in) ' 

and the lower bound in (2.8) follows from the last two inequalities. D 
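The class sizes in (2.1) and the lift counts used in the proof of Lemma 2.2 can be checked by exhaustive enumeration for small $\ell$. The following is an added example, not part of the paper: it assumes $G(\ell^k) = \mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})$ (that is, $\ell \nmid M_E$), and the function names are hypothetical. For $k = 2$ it uses the counts stated in the proof: each non-identity element of $C_r(\ell)$ has $\ell^3$ lifts, while the identity has $\ell^4$ lifts when $r \equiv 0 \pmod{\ell^2}$ and none otherwise.

```python
# Added illustration: brute-force check of (2.1) and of the k = 2 lift counts.
# ASSUMPTION: G(ell^k) is all of GL_2(Z/ell^k Z), i.e. ell does not divide M_E.
from itertools import product


def class_sizes(ell, k=1):
    """Return (|GL_2(Z/ell^k Z)|, sizes) with sizes[r] = |C_r(ell^k)|,
    where C_r(n) = {g : det(g) + 1 - tr(g) = r (mod n)}."""
    n = ell**k
    sizes = [0] * n
    order = 0
    for a, b, c, d in product(range(n), repeat=4):
        det = a * d - b * c
        if det % ell == 0:            # determinant is not a unit mod ell^k
            continue
        order += 1
        sizes[(det + 1 - a - d) % n] += 1
    return order, sizes


def formula_2_1(ell, r):
    """|C_r(ell)| as given by (2.1)."""
    r %= ell
    if r == 0:
        return ell * (ell**2 - 2)
    if r == 1:
        return ell * (ell**2 - ell - 1)
    return ell * (ell**2 - ell - 2)


def predicted_mod_ell_squared(ell, r):
    """|C_r(ell^2)| assembled from the lift counts in the proof of Lemma 2.2."""
    base = formula_2_1(ell, r)
    if r % ell != 0:                  # identity is not in C_r(ell)
        return ell**3 * base
    identity_lifts = ell**4 if r % ell**2 == 0 else 0
    return ell**3 * (base - 1) + identity_lifts


def density(ell, r):
    """|C_r(ell)| / |G(ell)| as in (2.2), returned as a float."""
    return formula_2_1(ell, r) / (ell * (ell - 1) ** 2 * (ell + 1))


if __name__ == "__main__":
    for ell in (2, 3, 5):
        order, sizes = class_sizes(ell)
        print(f"ell={ell}: |GL_2|={order}, |C_r|={sizes}, "
              f"density r=0: {density(ell, 0):.4f} vs 1/ell={1 / ell:.4f}")
    order, sizes = class_sizes(3, 2)
    print("ell=3, k=2:", order, sizes)
```

The density for $r \equiv 0$ exceeds $1/\ell$, which is the deviation from the naive model that the sieve weight $w_y(\ell)$ in Section 4 accounts for.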

Theorem 2.3. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM. Let $r \ge 0$ be an
integer, and let $n = dm$ be any positive integer with $(d, M_E) = 1$ and $m \mid M_E^{\infty}$.
(i) We have that

$|\{p \le x : n_E(p) \equiv r \pmod{n}\}| \ll_E \dfrac{\mathrm{Li}(x)}{\varphi(n)} + x \exp\{-A n^{-2}\sqrt{\log x}\}$

uniformly for $\log x \gg n^{12}\log n$, where the implied constants depend only on the
elliptic curve $E$ and $A$ is a positive absolute constant.

(ii) Assuming the GRH for the Dedekind zeta functions of the number fields $L_n/\mathbb{Q}$,
we have that

$|\{p \le x : n_E(p) \equiv r \pmod{n}\}| \ll_E \dfrac{\mathrm{Li}(x)}{\varphi(n)} + n^3 x^{1/2}\log(nx).$

(iii) Assuming the GRH for the Dedekind zeta functions of the number fields $L_n/\mathbb{Q}$,
we have that

$|\{p \le x : n_E(p) \equiv r \pmod{n}\}| \ll_E \dfrac{\mathrm{Li}(x)}{\varphi(n)}$

holds uniformly for $n \le x^{1/8}/\log x$, where the implied constant depends only on the
elliptic curve $E$.

Further if $r = 0$ or $(n, M_E) = 1$, then the condition $n \le x^{1/8}/\log x$ in the third
assertion can be relaxed to $n \le x^{1/5}/\log x$ and the term $n^3 x^{1/2}\log(nx)$ in the second
can be replaced by $n^{3/2} x^{1/2}\log(nx)$.

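Proof. It follows from the estimates of Lemma 2.2 that

$\dfrac{|C_r(m)|}{|G(m)|}\Big(\prod_{\ell^k \| d} \dfrac{|C_r(\ell^k)|}{|\mathrm{GL}_2(\mathbb{Z}/\ell^k\mathbb{Z})|}\Big) \ll_E \dfrac{1}{\varphi(d)\varphi(m)} = \dfrac{1}{\varphi(n)}$

and the first two statements are obtained by using this upper bound in the estimates of
Proposition 2.1 for

$\pi_{C_r(n)}(x, L_n/\mathbb{Q}) = |\{p \le x : n_E(p) = p + 1 - a_E(p) \equiv r \pmod{n}\}|.$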

We now prove (iii). If |Cr(T?2)| = 0, Proposition 2.1 implies trivially the required 
inequality, and we suppose that |Cr(m)| ^ 0. Clearly, it is sufficient to show that 

r2 13) 1 ,, \Cr{m)\ (yr |a(f^)| \ 1 



^{n)\og^n " \G{m)\ \^^^^\GU{'L/^^'L)\J " ^(n) 



\Cr{t)\ ^ 1 



It follows from Lemma 2.2 that 

and the lower bound of (2.13) follows from (2.14), (2.8) and the estimate 

11^-1 ^11 £-1 ^ logan' 

e\d e\n ^^ 

This completes the proof of the Theorem. D 
3. Rosser-Iwaniec's linear sieve formulas

We state in this section the Rosser-Iwaniec linear sieve [9, Theorem 1], which
will be used in the proof of Theorem 1.1. It is worth indicating that the Selberg
linear sieve [8, Theorem 8.4] cannot be applied for our purpose since the condition
$(\Omega_2(1, L))$ of Selberg's linear sieve (see [8, page 228]) is not satisfied by the function
$w_y(\ell)$. But the corresponding condition $(\Omega_1)$ of the Rosser-Iwaniec sieve is satisfied
by $w_y(\ell)$ (see (4.5) below).

Let $\mathcal{A}$ be a finite sequence of integers and $\mathcal{P}$ a set of prime numbers. As usual,
we write the sieve function

$S(\mathcal{A}, \mathcal{P}, z) := |\{a \in \mathcal{A} : (a, P(z)) = 1\}|,$

where

(3.1) $P(z) := \prod_{p < z,\ p \in \mathcal{P}} p.$

Let $\mathcal{B} = \mathcal{B}(\mathcal{P})$ denote the set of all positive squarefree integers supported on the
primes of $\mathcal{P}$. For each $d \in \mathcal{B}$, define

$\mathcal{A}_d := \{a \in \mathcal{A} : a \equiv 0 \pmod{d}\}.$

We assume that $\mathcal{A}$ is well distributed over arithmetic progressions $0 \pmod{d}$ in the
following sense: There are a convenient approximation $X$ to $|\mathcal{A}|$ and a multiplicative
function $w(d)$ on $\mathcal{B}$ verifying*

$(A_0)$ $0 < w(p) < p \quad (p \in \mathcal{P})$

such that

(i) the "remainders"

(3.2) $r(\mathcal{A}, d) := |\mathcal{A}_d| - \dfrac{w(d)}{d} X \quad (d \in \mathcal{B})$

are small on average over the divisors $d$ of $P(z)$;
(ii) there exists a constant $K \ge 1$ such that

$(\Omega_1)$ $\dfrac{V(z_1)}{V(z_2)} \le \dfrac{\log z_2}{\log z_1}\Big(1 + \dfrac{K}{\log z_1}\Big),$

where

$V(z) := \prod_{p < z}\Big(1 - \dfrac{w(p)}{p}\Big).$

The next result is the well known theorem of Iwaniec [9, Theorem 1].
Lemma 3.1. Under the hypotheses $(A_0)$, (3.2) and $(\Omega_1)$, we have
S{A, V, z) ^ XV{z){F{s) + E} + 2''''R{A, M, A^), 
where < e < |, s := (log MiV)/ log z, E < es^gX _^ ^-Sg^-sQ^g^jy^-i/s ^^^ 



p<z 



*Since we need (3.2) below only for $d \mid P(z)$, we are free to define $w(p) = 0$ for $p \notin \mathcal{P}$.

The second error term $R(\mathcal{A}, M, N)$ has the form

$R(\mathcal{A}, M, N) := \sum_{m < M,\ n < N,\ mn \mid P(z)} a_m b_n\, r(\mathcal{A}, mn),$

where the coefficients $a_m$, $b_n$ are bounded by 1 in absolute value and depend at most
on $M$, $N$, $z$ and $\varepsilon$.



4. Proof of Theorem 1.1 
As in [3], introduce 

and 

$\mathcal{S}(x, y, z) := \{p \le x : (n_E(p), L) = 1\},$

$\mathcal{T}(x, y, z) := \{p \le x : (n_E(p), L) > 1,\ b^{n_E(p)} \equiv b \pmod{n_E(p)}\}.$

Clearly

(4.1) $Q_{E,b}(x) \le |\mathcal{S}(x, y, z)| + |\mathcal{T}(x, y, z)|.$

First we estimate $|\mathcal{S}(x, y, z)|$.

Lemma 4.1. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM and $b \ge 2$ be an integer.
For any $\varepsilon$, there is a constant $y_0 = y_0(E, b, \varepsilon)$ such that
(i) We have
(4.2) \S{x,y,z)\^ie'' + e) /"^^y 

(log x) log 2; 

uniformly for yQ ^ y ^ z ^ {logxY^"^^/ log2 x. 
(ii) If we assume the GRH, we have

(4.3) \S{x,y,z)\<:{e' + e)-^^^^ 

(logxj iOgZ 

uniformly for y^ ^ y ^ z ^ a;-'^/-'^*'/(loga;)^. 

Proof. We shall sieve

$\mathcal{A} := \{n_E(p) : p \le x\}$

by

$\mathcal{P}_y := \{p : p > y\}.$

By definition, $|\mathcal{S}(x, y, z)| = S(\mathcal{A}, \mathcal{P}_y, z)$ for all $1 \le y \le z \le x$.

Without loss of generality, we can suppose that $y_0 \ge M_E + b$. Thus we have
$(d, M_E) = 1$ for all $d \in \mathcal{B}(\mathcal{P}_y)$. Using Proposition 2.1 (with the improved error
term discussed in the remark following the proposition under the GRH) and (2.2),
we get that

(4.4) $|\mathcal{A}_d| = \dfrac{w_y(d)}{d} X + r(\mathcal{A}, d)$

for all $d \in \mathcal{B}(\mathcal{P}_y)$, with

$X = \mathrm{Li}(x),$

(4.5) $w_y(\ell) = \dfrac{\ell(\ell^2 - 2)}{(\ell - 1)(\ell^2 - 1)} \quad (\ell > y),$

$|r(\mathcal{A}, d)| \ll_E \begin{cases} x \exp\{-A d^{-2}\sqrt{\log x}\} & (d \le (\log x)^{1/12}/\log_2 x), \\ d^{3/2} x^{1/2}\log(dx) & \text{(under the GRH)}, \end{cases}$

where $A > 0$ is a positive absolute constant.

In order to apply Lemma 3.1, we must show that Wy{i) satisfies conditions (Aq) 
and (f^i). The former is obvious, and we now check the latter. Writing 

(4.6) K,„)..n(i-^)" 

then 

VyjZl) ^ VM) 

Vy{Z2) ^ Vi{z2) 

for all Z2 > Zi '^ 2. On the other hand, by using the prime number theorem, it 
follows that 

wi{p)' 



vi(^)=n(i 



P 



'"' ^nO-^)n('-,p-i)3(p.i) 



1 + 



p — p — 1 
{p 

1 \ 1 Ce-^ 



log 2;/ J logz ' 
where 7 is the Euler constant and 

p"^ — p — 1 



c:=n 1 



(p_l)3(p+l) 

I-' 

Clearly this implies that for any 2 ^ zi < Z2 



Vi{z2) \ogzi { Vogzi 

and (4.6) and (4.8) show that the condition {Qi) is satisfied. Therefore we can apply 
Lemma 3.1 to write 

(4.9) S{£^, I^y, z) ^ (e^ + e)XVy{z) + Rs, 
where 

Rs:= J] 2'^('^V(-^>^)I- 

d\P(z) 

In view of the bounds for |r(^, d)\ of (4.5), we can deduce that 

(4.10) Rs<t:x/{\ogxf 
for all

{(log x) ^/^^/ log2 X (unconditionally) , 
a;Vi7(logx)4 (under GRH). 

On the other hand, in view of (4.7), we have for any z > y, 
(412) v,(.) = M-U + 0( ' ^1'°" 



Viiy) I VogyJ }\ogz 

Inserting (4.10) and (4.12) into (4.9), we obtain the required results. D 



In order to estimate $|\mathcal{T}(x, y, z)|$, we need to prove a preliminary result. For integers
$b \ge 2$ and $d \ge 1$, denote by $\mathrm{ord}_d(b)$ the multiplicative order of $b$ modulo $d$ (i.e. the
smallest positive integer $k$ with $b^k \equiv 1 \pmod{d}$).



Lemma 4.2. For all t ^ 1 , we have 



e>t 



1 
£ord£(6) ^^ tV2' 



Proof. Let $0 < \eta < 1$ be a parameter to be chosen later. We have

v-^ v^ logfft'" — 1) log6 

4.15 > 1 ^ > 1 < -^^ ^ — ^m. 

^ ^ ^^ ^^ log 2 log 2 

ordi(b)=m 

Thus 

ord<.(fe)<^'' ord^{b)=m 

A simple partial summation leads to 

ord^{6)<^'' OTdi{b)<l^ 

On the other hand, we have trivially 

ordi{b)^e'^ 

Combining these estimates and taking r] = |, we obtain (4.13). 
Similarly we have

V ^ V ^ 1 



^ iordAb) ~ ^ ^ iordAb) 



«e4 e 



2^ / ^ £l+»7 

fc>l £>(2-'=t)i/(l+'7) 



1 



^'' tv/ii+v) 
The inequality (4.14) follows from these estimates with the choice of 77 = |. D 

We now estimate $|\mathcal{T}(x, y, z)|$.

Lemma 4.3. Let $E$ be an elliptic curve over $\mathbb{Q}$ without CM and $b \ge 2$ be an integer.
Then there is a constant $y_0 = y_0(E, b)$ and a positive absolute constant $A$ such that
(i) We have



(4.16) |T(x,|/,z)| <g,fe Li(a:) J^ +xexpl-Az '^^/\ogx\ 



uniformly for 

(4.17) yo ^y<z<: {log xy/^yiog^x. 
(ii) If we assume the GRH, we have

(4.18) \nx,y,z)\ «^_,Li(x)i^ + zV/2 

yl/2 

uniformly for 

(4.19) yo^y<z. 

The implied constants depend on E and b only. 
Proof. If $n_E(p)$ is a pseudoprime to base $b$ and $d \mid n_E(p)$ with $(d, b) = 1$, then

$d \mid n_E(p) \mid b\,(b^{n_E(p)-1} - 1) \ \Rightarrow\ d \mid (b^{n_E(p)-1} - 1) \ \Rightarrow\ b^{n_E(p)-1} \equiv 1 \pmod{d}.$

Using Fermat's little theorem, it follows that

(4.20) $n_E(p) \equiv 0 \pmod{d}, \quad n_E(p) \equiv 1 \pmod{\mathrm{ord}_d(b)}, \quad (d, \mathrm{ord}_d(b)) = 1.$

By the Chinese remainder theorem, there is an integer $r_{b,d} \in \{1, \dots, d\,\mathrm{ord}_d(b)\}$ such
that $n_E(p) \equiv r_{b,d} \pmod{d\,\mathrm{ord}_d(b)}$.

Clearly for each $p \in \mathcal{T}(x, y, z)$, there is a prime $\ell$ such that

(4.21) $y < \ell \le z, \quad \ell \mid (L, n_E(p)) \quad\text{and}\quad n_E(p) \mid b^{n_E(p)} - b.$

Applying (4.20) with $d = \ell$, we have

$|\mathcal{T}(x, y, z)| \le \sum_{y < \ell \le z}\ \sum_{p \le x,\ n_E(p) \equiv r_{b,\ell} \pmod{\ell\,\mathrm{ord}_\ell(b)}} 1.$

Then, using (i) and (ii) of Theorem 2.3 with the bound $\varphi(n) \gg n/\log_2 n$, we have
that

(4.22) $|\mathcal{T}(x, y, z)| \ll_E \mathrm{Li}(x)(\log_2 z) \sum_{y < \ell \le z} \dfrac{1}{\ell\,\mathrm{ord}_\ell(b)} + R_{\mathcal{T}},$

where



Rr-= < 



(4.23) 



yj xexp < — A£ "^ \/log X \ {z ^ (loga;)-^/^^/log2 
'<e^z 

J2 ^^a;^/^ log(£\) (under the GRH) 



•exp< — Az '^^y\ogx> (2; ^ (log x)^/^^/ log 
0^x^/2 (under the GRH). 



The required results follow from (4.22), (4.23) and (4.13) of Lemma 4.2. D 

Taking, in Lemmas 4.1 and 4.3,

$y = \begin{cases} (\log_2 x)^2 \log_3 x & \text{(unconditionally)}, \\ (\log x)^2 \log_2 x & \text{(under the GRH)}, \end{cases} \qquad z = \begin{cases} (\log x)^{1/24}/\log_2 x & \text{(unconditionally)}, \\ x^{1/14}/\log x & \text{(under the GRH)}, \end{cases}$

which satisfy (4.11) and (4.17), and using the bounds of those lemmas in (4.1), this
proves Theorem 1.1.

5. Proof of Theorem 1.3 

We shall adapt Pomerance's method [17] to prove Theorem 1.3.
We divide the primes $p \le x$ such that $n_E(p)$ is pseudoprime to base $b$ into four
possibly overlapping classes:

• $n_E(p) \le x/L(x)$;

• there is $\ell \mid n_E(p)$ with $\mathrm{ord}_\ell(b) \le L(x)$ and $\ell > L(x)^3$;

• there is $\ell \mid n_E(p)$ with $\mathrm{ord}_\ell(b) > L(x)$;

• $n_E(p) > x/L(x)$, for all $\ell \mid n_E(p)$, we have $\ell \le L(x)^3$;

and denote by $S_1, \dots, S_4$ the corresponding contribution to $\pi_{E,b}^{\mathrm{pseu}}(x)$, respectively.

A. Estimate for $S_1$

In view of (1.13), it follows that

(5^1) S,« Y. 1«^. 

psil6x/L{x) ^ ' 

B. Estimate for S2 
Clearly 

orde(b)^L{x)^\nE{p) 

Using (iii) of Theorem 2.3 with $r = 0$ and (4.15), we deduce that the contribution
of $L(x)^3 < \ell \le x^{1/8}/\log x$ to $S_2$ is

Eijl(^XJ X ^ — > X 

L{xf<£^x^/y\ogx ^^ ^ ^ ^ orde{h)i:L{x) ^ ^ 

ord^(fe)s£L(x) 

Furthermore, using Hypothesis 1.2 with 5 < I, we have 



E Ei« E E E 1 

x'^/^/\ogx<eii2xm^2x/e p^x 
orde{b)^L{x) nE{p)=m 

«^ E E (^^)' 

x-*-' ^/logz< 
ord^{b)^Z 

x^'^ / \ogx< 
ord^{b)^Z 



x^/^/\ogx<e P^^ x^/-'/logx<ei:2xmi:2x/e p^x 

OTde{b)^L{x) ^I"b(p) orde{b)^L{x) nE{p)=m£ 



x^/^/\ogx<e.!^2xm^'ix/l 
ordeXb)!^L{x) 






using (4.15). 

Combining these estimates yields 

(5.2) ^2 <^E "" 



Lix) 



C. Estimate for $S_3$

If $p$ is counted in $S_3$, then there is $\ell \mid n_E(p)$ with $\mathrm{ord}_\ell(b) > L(x)$ (which implies
$\ell > L(x) > b$). Applying (4.20) with $d = \ell$, there is an integer $r_{b,\ell} \in \{1, \dots, \ell\,\mathrm{ord}_\ell(b)\}$
such that $n_E(p) \equiv r_{b,\ell} \pmod{\ell\,\mathrm{ord}_\ell(b)}$. Since $n_E(p) \le p + 1 + 2\sqrt{p} \le 4p \le 4x$, we
must have $\ell\,\mathrm{ord}_\ell(b) \le 4x$. Thus

(5.3) $S_3 \le \sum_{\mathrm{ord}_\ell(b) > L(x)}\ \sum_{n_E(p) \equiv r_{b,\ell} \pmod{\ell\,\mathrm{ord}_\ell(b)}} 1.$

If $\ell\,\mathrm{ord}_\ell(b) \le x^{1/8}/\log x$, then by Theorem 2.3(iii)



y: 1 «E "^^^"^ 



and using again the bound $\varphi(n) \gg n/\log_2 n$, the contribution of those $\ell$ to $S_3$ is
bounded by



ELi(x) Li(a;)log2a; ^^ 1 

Moideib)) ^^ Lh!) ^ 1 

ord^(6)>L(a;) 

Li(a;)(log2a;)2 



With the help of Hypothesis 1.2 with $\delta < \frac{1}{24}$ and (4.14) of Lemma 4.2, the
contribution of $x^{1/8}/\log x < \ell\,\mathrm{ord}_\ell(b) \le 4x$ to $S_3$ is bounded by

E E E 1 

xi/S/loga;<tord^{b)^4a; 0^m^4a;/tord^(fe) p^a: 

™B(p)=''6,£+™^oi"df{^) 

<E 5^ J2 in,i + mioTde{b)Y 

2:1/8/ log a;<tord^{6)^4a;0^m^4x/tord^(fe) 

^"^ ^ ford, (6) 

2:1/8/ log a;<tord^(6)^4a; 

«i,xi+^'i/2Moga;. 
Inserting these estimates into (5.3), we find that 

(5.4) S3«.^. 



D. Estimate for $S_4$

In order to adapt the proof of [17] to the more general definition (1.4) of
pseudoprimes (which includes the case where $b$ and $n$ are not coprime), we write
$n_E(p) = n_E'(p)\,n_E''(p)$ with $n_E'(p) \mid b^{\infty}$ and $(n_E''(p), b) = 1$. Denote by $S_4'$ and $S_4''$ the
contribution of $n_E'(p) > x^{1/2}$ and $n_E'(p) \le x^{1/2}$ to $S_4$, respectively.

By the Hasse bound (formulated as the statement of Hypothesis 1.2 with $\delta = \frac{1}{2}$),
we have
we have 



d\b°° {m,h)=ln'j^{p)=d,n'^{p)=m 



<£; ^ ^ {dm] 

x'^/^<d^4x'm^4x/d 
d\b°° 

3/2 



1/2 



< E 



X 

~d 



x^/^<d^4x 
d\b°° 



If $p$ is counted in $S_4''$, then $n_E''(p) > x^{1/2}/L(x)$ and all prime factors of $n_E''(p)$ are
$\le L(x)^3$. Thus $n_E''(p)$ must have a divisor $d$ with $x^{1/18} < d \le x^{1/17}$ and $(d, b) = 1$.
Thus, by the comment following (4.20), $n_E(p) \equiv r_{b,d} \pmod{d\,\mathrm{ord}_d(b)}$ for some residue
$r_{b,d}$, and by Theorem 2.3, we have



S4 < E E 

x^/^^<d^x^i 
{d,b)=l 



xl/l8<d^a;l/l7 p^x 

id,b)=l nE(p)=rt^d{inoddc.rda{b)) 



X 

doTdJb) 

1/17 "^ ' 



a;l/l8<d^a;l/ 

v^ 1 V^ 1 

^X } - } -■ 

ord(j(fe)=m 

With the help of the following inequality (see [17, Theorem 1]) 

E l^^fTTf (O ^o(&), m ^ 1), 

ord;j(6)=m 

a simple partial integration allows us to deduce that 

,1/17 



i/i8<d<xi/i7 "'^ ' ds;t ^ ^ 

ord(i(6)=»n 

and 5*4 '^e x(\ogx)L{x)^^/^'^ . Thus 



a;l/i8<(i^a,i/i7 "'^ ' d^t 

ordd(6)=m ordd(b)=m 



(5.5) 5*4 — 5*4 + 5*4 't^E,b y , N + r/ \i/S7 ^ 



L{x) L(a;)i/37 - L(a;)V38 
The statement of Theorem 1.3 then follows from (5.1), (5.2), (5.4) and (5.5). 




6. Proof of Theorem 1.5 



First write

$\pi_{E,b}^{\mathrm{pseu}}(x) = \sum_{p \le x,\ n_E(p) \text{ is pseudoprime to base } b} 1 \ \le \sum_{n \le 4x,\ n \text{ is pseudoprime to base } b} M_E(n).$

By using the Cauchy-Schwarz inequality, it follows that

(6.1) $\pi_{E,b}^{\mathrm{pseu}}(x) \le \big(\pi_b^{\mathrm{pseu}}(4x)\big)^{1/2}\Big(\sum_{n \le 4x} M_E(n)^2\Big)^{1/2}.$

To bound the second sum on the right-hand side of (6.1), we use a result of Kowalski
[12] who proved that for a curve $E$ with complex multiplication and for any $\varepsilon > 0$,

(6.2) $\sum_{n \le 4x} M_E(n)^2 \ll \dfrac{x}{(\log x)^{1-\varepsilon}}.$

We remark that in [12], there are no curves with complex multiplication defined over
$\mathbb{Q}$ as the field of complex multiplication must be included in the field of definition
of the elliptic curve. Then, (6.2) is first proven for the sequence $\{n_E(\mathfrak{p}) = \#E(\mathbb{F}_{\mathfrak{p}})\}$
associated to $E$, where $\mathfrak{p}$ runs over the primes of the CM field [12, Theorem 5.4].
This first result can then be used to deduce the upper bound (6.2) by separating
the rational primes into ordinary and supersingular primes of $E$, and by using [12,
Theorem 5.4] to obtain (6.2) (see [12, Proposition 7.4]).

Theorem 1.5 then follows by replacing (6.2) and (1.9) in (6.1).